I use postscreen to keep spam off my mail server. Suspicious clients are rejected at connection time, before a Postfix smtpd process is tied up and before any message content has to be scanned.
Don't run postscreen on a port that Mail User Agents (MUAs) have to connect to. Normally TCP port 25 is used only by other Mail Transfer Agents (MTAs); MUAs should use the submission port (TCP 587), which the postscreen setup below does not touch. If you have to accept MUA connections on port 25, bind a second IP address and disable postscreen for that address, and make sure the second IP has no MX record in DNS.
First change /etc/postfix/master.cf:
new:
#smtp     inet  n       -       n       -       -       smtpd
smtpd     pass  -       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog
old:
smtp      inet  n       -       n       -       -       smtpd
#smtpd    pass  -       -       n       -       -       smtpd
#smtp     inet  n       -       n       -       1       postscreen
#tlsproxy unix  -       -       n       -       0       tlsproxy
#dnsblog  unix  -       -       n       -       0       dnsblog
Next, some modifications to /etc/postfix/main.cf:
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
/etc/postfix/postscreen_access.cidr lists all IP addresses that should always be whitelisted: the first matching entry wins, and a permit entry skips every postscreen test for that client. I add the addresses of my monitoring hosts to this file:
192.168.254.0/24 permit
213.133.113.83 permit
213.133.113.84 permit
176.9.89.165 permit
For the DNSBL test I combine several blacklists and whitelists, each with its own weight:
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.mailspike.net*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net
    bl.spamcop.net
    spamtrap.trblspam.com
    dnsbl.sorbs.net=127.0.0.[2;3;6;7;10]
    ix.dnsbl.manitu.net
    bl.blocklist.de
    #whitelist
    list.dnswl.org=127.0.[0..255].0*-1
    list.dnswl.org=127.0.[0..255].1*-2
    list.dnswl.org=127.0.[0..255].[2..3]*-3
    iadb.isipp.com=127.0.[0..255].[0..255]*-2
    iadb.isipp.com=127.3.100.[6..200]*-2
    wl.mailspike.net=127.0.0.[17;18]*-1
    wl.mailspike.net=127.0.0.[19;20]*-2
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 1h
/etc/postfix/dnsbl_reply contains:
# Secret DNSBL name        Name in postscreen(8) replies
secret.zen.spamhaus.org    zen.spamhaus.org
This map replaces the hostname that is actually queried (a private query name some DNSBL providers hand out to paying customers) with the public list name in postscreen's reject replies, so the secret name never leaks to the rejected client. It only has an effect if postscreen_dnsbl_sites uses that secret name; with the public zen.spamhaus.org in the list above it changes nothing. secret.zen.spamhaus.org is the placeholder from the Postfix documentation; put the query name your provider gave you there.
How weighting works:
postscreen_dnsbl_threshold = 3 is the minimum score at which a connection is rejected (postscreen's own default is 1). Each list carries a weight (*3 for zen.spamhaus.org, *2 for b.barracudacentral.org, 1 if no weight is given); whitelists carry a negative weight.
Postscreen queries all lists in parallel and adds up the weights of every list that reports the client; for lists with a reply filter such as =127.0.0.[2;3;6;7;10], only matching replies count. A client with score >= 3 is rejected.
A client that is listed on zen.spamhaus.org or bl.mailspike.net alone already scores 3 and is rejected; a client listed only on bl.spamcop.net scores 1 and needs two more points from other lists. A negative weight reduces the score, so a list.dnswl.org entry with trust level 2 or 3 (-3) cancels out a Spamhaus listing.
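To make the access list and the scoring concrete, here is an added Python example (my code, not from the post and not Postfix's own logic) that replays postscreen's decision for one connecting client: a first-match lookup in the postscreen_access.cidr table above, then the DNSBL score from the postscreen_dnsbl_sites value above, using the same filter syntax (=127.0.0.[2;3;6] alternatives, [0..255] ranges, *weight). The DNSBL answers passed in are constructed sample data standing in for what dnsblog(8) would return; the function names are mine.

```python
import ipaddress
import re

# Constructed example data: the postscreen_access.cidr and postscreen_dnsbl_sites
# values from the post, copied as written there (same weights and reply filters).
ACCESS_CIDR = """
192.168.254.0/24 permit
213.133.113.83 permit
213.133.113.84 permit
176.9.89.165 permit
"""
DNSBL_SITES = """
zen.spamhaus.org*3
bl.mailspike.net*3
b.barracudacentral.org*2
bl.spameatingmonkey.net
bl.spamcop.net
spamtrap.trblspam.com
dnsbl.sorbs.net=127.0.0.[2;3;6;7;10]
ix.dnsbl.manitu.net
bl.blocklist.de
list.dnswl.org=127.0.[0..255].0*-1
list.dnswl.org=127.0.[0..255].1*-2
list.dnswl.org=127.0.[0..255].[2..3]*-3
iadb.isipp.com=127.0.[0..255].[0..255]*-2
iadb.isipp.com=127.3.100.[6..200]*-2
wl.mailspike.net=127.0.0.[17;18]*-1
wl.mailspike.net=127.0.0.[19;20]*-2
"""
THRESHOLD = 3  # postscreen_dnsbl_threshold from the post


def access_list_action(client_ip, cidr_text=ACCESS_CIDR):
    """First-match lookup in a cidr: table, as postscreen_access_list does.
    Returns 'permit', 'reject' or None (no entry: run the tests)."""
    addr = ipaddress.ip_address(client_ip)
    for line in cidr_text.split("\n"):
        if line.strip():
            net, action = line.split()
            if addr in ipaddress.ip_network(net, strict=False):
                return action
    return None


def parse_site(spec):
    """Split 'domain[=filter][*weight]' into (domain, filter, weight); weight defaults to 1."""
    weight = 1
    if "*" in spec:
        spec, w = spec.split("*", 1)
        weight = int(w)
    domain, _, filt = spec.partition("=")
    return domain, (filt or None), weight


def _octet_matches(pattern, value):
    """One octet of a filter: '2', '[2;3;6]' (alternatives) or '[0..255]' (range)."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        if ".." in part:
            lo, hi = part.split("..")
            if int(lo) <= value <= int(hi):
                return True
        elif int(part) == value:
            return True
    return False


def reply_matches(filt, reply):
    """Does one DNSBL A record (e.g. '127.0.0.2') satisfy the site's reply filter?"""
    if filt is None:
        return True  # no filter: any A record means 'listed'
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)  # octets, keeping [...] groups whole
    vals = [int(o) for o in reply.split(".")]
    return len(pats) == 4 and all(_octet_matches(p, v) for p, v in zip(pats, vals))


def dnsbl_score(lookups, sites_text=DNSBL_SITES):
    """Sum the weights of all site entries whose filter matches an A record returned
    for that domain. lookups: {domain: [A records]}, standing in for dnsblog(8)."""
    total, hits = 0, []
    for spec in sites_text.split():
        domain, filt, weight = parse_site(spec)
        if any(reply_matches(filt, r) for r in lookups.get(domain, [])):
            total += weight
            hits.append(spec)
    return total, hits


def decide(client_ip, lookups, threshold=THRESHOLD):
    """Verdict for one client: access list first, then the DNSBL score.
    (With the post's postscreen_blacklist_action = ignore, 'blacklisted' is only logged.)"""
    action = access_list_action(client_ip)
    if action in ("permit", "reject"):
        return ("whitelisted" if action == "permit" else "blacklisted"), 0, []
    total, hits = dnsbl_score(lookups)
    return ("reject" if total >= threshold else "pass"), total, hits
```

decide("203.0.113.5", {"zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"]}) returns ("reject", 3, ["zen.spamhaus.org*3"]): one Spamhaus listing is enough. Add "list.dnswl.org": ["127.0.5.2"] to the same lookup and the trust-level-2 whitelist entry (-3) brings the score back to 0 and the client passes, which is the main thing to keep in mind when you raise the blacklist weights: a whitelist with -3 silently overrides them.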
The following settings are tolerant towards broken clients: the bare-newline test is disabled, and clients that hit a reject entry in postscreen_access_list are only logged (postscreen_blacklist_action = ignore). Clients from $mynetworks skip all tests anyway via permit_mynetworks in postscreen_access_list:
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
And the same for TLS:
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_use_tls = $smtpd_use_tls
Some more settings; most of them are postscreen's defaults. Note that postscreen_greet_action = ignore, together with the disabled pipelining and non-SMTP-command tests, means those tests only log their result and never reject, so in this configuration the DNSBL test is the only one that actually turns clients away. Once the PREGREET entries in the log look trustworthy, switch postscreen_greet_action to enforce.
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = ignore
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_watchdog_timeout = 10s
To test the configuration first, add
soft_bounce = yes
to /etc/postfix/main.cf. Postscreen then answers with a temporary "try again later" reply (450 4.7.1 instead of 550 5.7.1), so a mistake in the configuration only delays legitimate mail instead of bouncing it.
Reload postfix with /etc/init.d/postfix reload to apply the changes.
When the log looks right, set soft_bounce = no so that postscreen really rejects the connections.
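While soft_bounce is on, the interesting question is what the log would have done with soft_bounce off. As an added example (my code, not from the post), here is a small parser for the postscreen lines in mail.log that counts verdicts per type and per DNSBL and flags clients that were turned away with 450 instead of 550; in this setup that means soft_bounce = yes is still in main.cf. The log lines are constructed samples in postscreen's log format using documentation IPs, and the regexes are my reading of that format.

```python
import re
from collections import Counter

# Constructed sample of postscreen lines as they appear in mail.log (not taken from
# the post or a real server), using documentation IPs; the format follows postscreen(8).
SAMPLE_LOG = r"""
Mar 13 10:00:01 mx postfix/postscreen[1234]: CONNECT from [203.0.113.5]:41234 to [198.51.100.1]:25
Mar 13 10:00:01 mx postfix/postscreen[1234]: DNSBL rank 4 for [203.0.113.5]:41234
Mar 13 10:00:07 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.5]:41234: 550 5.7.1 Service unavailable; client [203.0.113.5] blocked using zen.spamhaus.org; from=<x@example.net>, to=<me@example.org>, proto=ESMTP, helo=<mail.example.net>
Mar 13 10:00:07 mx postfix/postscreen[1234]: DISCONNECT [203.0.113.5]:41234
Mar 13 10:01:12 mx postfix/postscreen[1234]: CONNECT from [192.0.2.7]:50210 to [198.51.100.1]:25
Mar 13 10:01:12 mx postfix/postscreen[1234]: PASS OLD [192.0.2.7]:50210
Mar 13 10:02:30 mx postfix/postscreen[1234]: CONNECT from [203.0.113.9]:2222 to [198.51.100.1]:25
Mar 13 10:02:30 mx postfix/postscreen[1234]: PREGREET 11 after 0.12 from [203.0.113.9]:2222: EHLO User\r\n
Mar 13 10:02:36 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.9]:2222: 450 4.7.1 Service unavailable; client [203.0.113.9] blocked using bl.mailspike.net; from=<y@example.net>, to=<me@example.org>, proto=SMTP, helo=<User>
Mar 13 10:02:36 mx postfix/postscreen[1234]: DISCONNECT [203.0.113.9]:2222
Mar 13 10:03:00 mx postfix/postscreen[1234]: CONNECT from [192.168.254.10]:33000 to [198.51.100.1]:25
Mar 13 10:03:00 mx postfix/postscreen[1234]: WHITELISTED [192.168.254.10]:33000
Mar 13 10:04:15 mx postfix/postscreen[1234]: CONNECT from [198.51.100.77]:44444 to [198.51.100.1]:25
Mar 13 10:04:21 mx postfix/postscreen[1234]: PASS NEW [198.51.100.77]:44444
Mar 13 10:04:22 mx postfix/smtpd[1300]: connect from mail.example.com[198.51.100.77]
"""

POSTSCREEN_RE = re.compile(r"postfix/postscreen\[\d+\]: (?P<event>.*)$")
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: (?P<code>\d{3}) \d\.\d\.\d "
    r".*?blocked using (?P<site>[^;\s]+);"
)
VERDICT_RE = re.compile(r"^(?P<kind>CONNECT|PASS NEW|PASS OLD|WHITELISTED|PREGREET|DNSBL rank)")


def summarize(log_text):
    """Count postscreen events, DNSBL rejects per list, and rejects that went out
    with a 4xx code (in this setup: soft_bounce = yes is still in main.cf)."""
    counts, per_site, soft = Counter(), Counter(), []
    for line in log_text.strip().splitlines():
        m = POSTSCREEN_RE.search(line)
        if not m:
            continue  # smtpd, cleanup, ... lines are not postscreen's
        event = m.group("event")
        r = REJECT_RE.search(event)
        if r:
            counts["reject"] += 1
            per_site[r.group("site")] += 1
            if r.group("code").startswith("4"):
                soft.append(r.group("ip"))
            continue
        v = VERDICT_RE.match(event)
        if v:
            counts[v.group("kind")] += 1
    return {"counts": dict(counts), "per_site": dict(per_site), "soft_bounce_ips": soft}


def soft_bounce_still_on(log_text):
    """True when any DNSBL reject was answered with 450 instead of 550."""
    return bool(summarize(log_text)["soft_bounce_ips"])
```

summarize(SAMPLE_LOG) gives 5 CONNECT, 2 rejects (one each for zen.spamhaus.org and bl.mailspike.net), one PASS NEW, one PASS OLD, one WHITELISTED and one PREGREET, and lists 203.0.113.9 as a client that only got a 450. Run it over the real mail.log (e.g. summarize(open("/var/log/mail.log").read())) after the soft_bounce test phase: the PREGREET count tells you what postscreen_greet_action = enforce would additionally reject, and the per-list reject counts show which weights are doing the work.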
Update 03/13/13: removed combined.njabl.org=127.0.0.[2;4;9]*2
(the NJABL blacklist is being shut down)
Hello! Can postscreen also read a list of IP addresses that should be blocked?
Regards
Andreas
Hi! Great introduction to postscreen and the associated fight against spam!
It gives server newcomers in particular a way to protect their boxes effectively against spam.
I used this article myself as a template to set up several mail servers, since the values
largely fit production use!
Many thanks, says ESH
Hello,
thanks for the great tutorial. But I have one problem: my own users are also blocked when sending mail. When another user writes me a mail, he has a problem because his IP is blacklisted. Is there a way to bypass the filter for my own, logged-in users and their mails?
Users should not use port 25 but the submission port (587). Postscreen does not act on that port either.
I configured postscreen on my server yesterday. But now I can no longer send email from Thunderbird on my PC via my server (port 587). I get:
450 4.7.1 Service unavailable; client [80.143.67.X] blocked using zen.spamhaus.org
Solved.
And how?
Thanks for the tutorial. Just a small note: for the inexperienced the structure is a bit confusing because of the inserted contents of /etc/postfix/dnsbl_reply and /etc/postfix/postscreen_access.cidr.
Granted, anyone who knows the syntax will know that most of it belongs in main.cf, but an inserted "continuing in main.cf" would remove any remaining doubt.
I had port 25 set in Thunderbird instead of 587.
This comment referred to my other post about the error 4.7.1 Service unavailable.
Great! Thanks for the quick and simple HowTo.
We achieved very good results after setting up postscreen on our MTA systems. The load on the mail systems has also gone down noticeably…
Wow, this sentence….
> But you can also not use postscreen for an additional IP if no MX record is defined for it in DNS.
> Then delivery by an MUA there is possible without problems.
Does that mean in plain language:
Postscreen can only be used for an IP that has an MX record in DNS. Only then can an MUA deliver mail there.
Or am I misunderstanding?
You are misunderstanding. Postscreen can handle several IPs. But you can run one postfix for MTAs (i.e. the MX record) on one IP and for MUAs (users) on a second IP. And on the second one without postscreen.
Yes, the settings, permissions and ownerships are indeed correct. It’s really strange but after every incoming mail, that error is thrown.
It also seems the whitelisting you do with dnswl is not working with me. All DNS servers queried couldn’t respond to even the test hostname:
host 2.0.0.127.list.dnswl.org
-> Host 2.0.0.127.list.dnswl.org not found: 3(NXDOMAIN)
Tried with many different nameservers (Google, OpenDNS, Colocation of Server Housing…)
And the dir /var/lib/postfix has 755?
You can also try to delete the cache and restart postfix afterwards.
Yes permissions weren’t the problem.
Indeed, for everyone else having the problem getting the aforementioned warning of postscreen on close events, this is what I did:
service postfix stop
cd /var/lib/postfix
mkdir -p /var/spool/postfix/var/lib/postfix
mv postscreen_cache.db /var/spool/postfix/var/lib/postfix
ln -s /var/spool/postfix/var/lib/postfix/postscreen_cache.db
service postfix start
This moves the postscreen_cache.db to the chrooted postfix directory and symlinks it to the directory out of it, as in Debian Wheezy it seems postscreen tries to access that file within and out of the chroot on various occasions. The close event seems to come from inside the chroot, the normal cleanup procedures hit against the file at its normal location in /var/lib/postfix.
So symlinking it to the un-chrooted dir and moving the real file to the jail seems to be the best possibility, as the other way round the chroot won’t follow symlinks.
Greets
Jens
Thanks Jens, I think you just solved my problem with this solution. The log message was bugging me to no end and I couldn't figure out why the file wouldn't be accessible while permissions were perfectly fine.
Hi Florian,
did you also encounter the problem with postscreen_cache.db?
Nov 10 11:28:36 servername postfix/postscreen[18906]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)
I’d guess it isn’t belonging to the DB bug, but rather has something to do with postfix/postscreen running chroot’ed and unable to access the file out of its chroot?
Greets
Jens
I'm running postfix non-chrooted. I think you should add /var/lib/postfix/* to the jail and/or check the permissions.
OK, that was my fault (did run it on another server in a chroot setting). On that machine though, it runs without and still throws that error.
File exists, permissions are right. Somehow it seems I’m overlooking the obvious…
The machine runs ISPC3 and was set up with their documentation and settings. We just wanted that instance a bit hardened against spammers 😉
The permissions are 600 and the owner is postfix.postfix. I think you missed something. If you would like to see my postfix config, just leave me an email.
hello
Will this tutorial work on a server with a single IP?
thank you
Michel
You can use postscreen with any postfix setup.
Oh, by the way, every time I post my comment in your article, your blogging software redirected me to a German version of your site. I came from Google Search and your website is in English.
Hi, I have a question. Don't you need a comma after each blacklist/whitelist line in postscreen_dnsbl_sites and before postscreen_dnsbl_action? I came across another website before yours, and yours is not indented, unlike the other one.
I’m running Postfix 2.9 in Ubuntu Server 12.04 running in a virtual private server and thanks to b.barracudacentral.org, I haven’t gotten any spam last month until recently, one of them being death/funeral announcement and I’ve gotten even more spam this month of March. I don’t know when I’ve added sbl-xbl.spamhaus.org but I did add bl.spamcannibal.org since one IP address is in their blacklist. Spammers are getting very desperate for trying to send spam to my “gp(at)” e-mail address.
Anyway, I will implement postscreen configuration since I am in need of weighting.
I don't use a comma after each line but spaces in front of each bl/wl. I just reformatted the post. Thanks.
You're welcome. The config is a lot clearer now, so I have implemented postscreen, commented out the reject_rbl_client lines, and reloaded Postfix. Checking my /var/log/mail.log tells me everything is fine and Postfix must have accepted my configuration.
I will see how this goes and monitor my mail log for any problems that might prevent legitimate mail from going through.
Thanks for writing the article.